Traffic is dropped for IPsec with firewall4

Good news! I think I solved it.

The trick is to match on meta ipsec exists in the nftables rules for the INPUT and FORWARD chains. That match only succeeds for packets that were actually decapsulated from an IPsec SA, so the accept rule does not apply to cleartext packets arriving on wan that merely carry a 10.10.20.0/29 source address. Also, the subnet for the VPN firewall zone must be excluded from masquerading. Create a file /etc/fwuser.nft written in nftables syntax:

# /etc/fwuser.nft
meta ipsec exists ip saddr 10.10.20.0/29 counter accept comment "custom: allow for vpn"

...and include it in your /etc/config/firewall configuration by adding the following sections:

config include                        
        option type             'nftables'
        option path             '/etc/fwuser.nft'
        option position         'chain-pre'     
        option chain            'input_wan'
           
config include                        
        option type             'nftables'
        option path             '/etc/fwuser.nft'
        option position         'chain-pre'
        option chain            'forward_wan'

Also, make sure to exempt the subnet for your vpn firewall zone from masquerading by adding the following to your wan zone:

list masq_dest		'!10.10.20.0/29'

For completeness, here is my complete firewall config.

complete /etc/config/firewall
config defaults
	option input			'ACCEPT'
	option output			'ACCEPT'
	option forward			'REJECT'
	option synflood_protect		'1'
	option flow_offloading		'1'
	option flow_offloading_hw	'1'

config zone
	option name		'wan'
	list network		'WAN'
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
	option masq		1
	option mtu_fix		1
	list masq_dest		'!10.10.20.0/29'

config zone
	option name		'home'
	list network		'HOME'
	option input		ACCEPT
	option output		ACCEPT
	option forward		ACCEPT

config zone
	option name		'vpn'
	list network		'VPN'
	option input		ACCEPT
	option output		ACCEPT
	option forward		ACCEPT
	option masq		1

config forwarding
	option src		home
	option dest		wan

config forwarding
	option src		vpn
	option dest		home

config forwarding
	option src		vpn
	option dest		wan

config rule
	option name		Allow-DHCP-Renew
	option src		wan
	option proto		udp
	option dest_port	68
	option target		ACCEPT
	option family		ipv4

config rule
	option name		Allow-Ping
	option src		wan
	option proto		icmp
	option icmp_type	echo-request
	option target		ACCEPT
	option family		ipv4

config rule
	option name		Allow-IGMP
	option src		wan
	option proto		igmp
	option target		ACCEPT
	option family		ipv4

config rule
	option name		Allow-IPSec-ESP
	option src		wan
	option proto		esp
	option target		ACCEPT

config rule
	option name		Allow-ISAKMP
	option src		wan   
	option dest_port	500
	option proto		udp
	option target		ACCEPT

config rule
	option name		Allow-IPSec-NAT
	option src		wan
	option dest_port	4500
	option proto		udp
	option target		ACCEPT

config rule
	option name		Allow-IPSec-AH
	option src		wan
	option proto		ah
	option target		ACCEPT

### ##################### ###        
###    I N C L U D E S    ###        
### ##################### ###         
                                      
config include                        
        option type             'nftables'
        option path             '/etc/fwuser.nft'
        option position         'chain-pre'     
        option chain            'input_wan'
           
config include                        
        option type             'nftables'
        option path             '/etc/fwuser.nft'
        option position         'chain-pre'
        option chain            'forward_wan'